As boards grapple with continued advancements in AI, a pressing challenge is how to protect their organizations from increasingly sophisticated cyber threats without stifling innovation. At our recent Board of Directors Summit, Alicja Cade, director of Google Cloud's Office of CISO, and David Homovich of Google's Office of CISO presented a solution-driven framework for tackling this complex problem. They pointed out that cybersecurity, especially in the age of AI, is not about discrete technology solutions, but rather the integration of digital defense, comprehensive risk management, regulatory compliance, and AI-powered innovation. Here are five key points.
1. Adopt a “shared destiny” model to reduce cloud risks.
Cade advocated moving beyond the traditional “shared responsibility” model with cloud service providers to a “shared destiny” mindset. This approach brings organizations and providers closer together to ensure seamless cybersecurity protection across a collaborative ecosystem. “We work closely with our customers along a shared destiny… Our goal is to ensure that their configurations are secure,” Cade explained. Homovich said cloud service providers are now working more collaboratively with enterprises, allowing for a more consistent and agile response to emerging threats and changing the way organizations and their partners address risk. He added that it reflects a major change.
2. View cybersecurity as a “team sport.”
Cybersecurity is not just the domain of IT and security teams, but requires the involvement of the entire organization, Cade said, adding, “Functional CEOs need to be aware and COOs need to understand what kind of cybersecurity they are dealing with. We need to be aware of the risks we are putting ourselves at. Whether it's people or technology, it's sitting.” This approach helps foster a culture of shared responsibility and encourages board members to seek input from multiple departments to get a complete picture of the organization's risk posture. “The role of the board is important here, listening to all stakeholders from a risk management perspective and making sure all opinions are heard,” she said.
3. Prioritize rapid response and testing in AI governance.
The rapid pace of AI adoption means that cybersecurity frameworks must also evolve rapidly. “This is a race,” Cade said. “AI is being used on both sides of the moon, the dark side and the bright side.” She emphasized the importance of aligning AI and cybersecurity governance, and of ethical considerations such as fairness and data protection, and advised leaders to adopt clear, central policies on the use of AI. For effective preparation, Cade recommends regular testing and co-simulation with third parties: “If you rely on a provider, be sure to co-test the dependent processes,” she emphasized.
4. Use AI to address the “defender’s dilemma.”
For corporate security teams, “it's very difficult to get everything right,” said Cade. “On the other hand, the attacker only has to act correctly once.” Therein lies the “defender's dilemma.” AI automates detection, response time, and resiliency measures, providing tools that can help tip the scales in the defenders’ favor. Cade advised against building a siloed AI governance structure, noting that cyber risk “shouldn’t just be the responsibility of the CISO. It's built into the business process.” For effective governance, AI must be integrated into existing frameworks so that it becomes part of an organization's broader risk and resilience architecture.
5. Build resilience by monitoring third-party and cloud risks.
With increased reliance on third-party providers, Homovich emphasized the importance of robust third-party risk management, especially for “critical failure points.” Cade added: “It goes back to supply chain and third-party risk management. It's about really understanding your suppliers, and it's an extension of what you're doing. They're part of the risk environment.” Companies should monitor their suppliers' use of AI and ensure that third parties meet the same security standards they expect within their own organizations. Cade also recommended joint testing with third parties: “Instead of just doing simulations in-house, do actual joint exercises.”